Open methodology

How the online presence audit works

Every score comes from a defined set of checks. Here is what Millwards Online fetches, how it turns signals into priorities and where an automated website audit stops.

The short version: Millwards Online requests one public page and standard discovery files, examines the HTML and server response, then applies weighted rules across six categories. It does not log in, alter the website or expose premium findings in the free response.

Audit scope

The audit is built as a quick first-pass diagnostic for small-business websites. It checks the exact public web address supplied. The fetcher may follow up to five ordinary redirects to reach the final page and also looks for the site’s public /robots.txt and /sitemap.xml files.

The service uses normal HTTP or HTTPS requests with a named audit user agent. It does not need a content-management-system login, submit forms or make changes. Requests use time, size, network and rate limits, and private network addresses or unsafe destinations are blocked.

Optional business name and location fields make two checks more relevant: whether the trading name appears in visible copy, and whether the stated service area or a UK postcode can be detected. They do not change the underlying page fetched.

What happens during a scan

  1. 1Validate the addressThe service accepts a safe, publicly reachable HTTP or HTTPS website address and rejects private or unsuitable network targets.
  2. 2Fetch the public pageIt follows a limited redirect path and records the final address, response status, response time, headers and HTML document.
  3. 3Read detectable signalsThe HTML is parsed for metadata, headings, links, visible text, images, forms, buttons, structured data and other defined signals.
  4. 4Check discovery filesThe site root is checked for crawler instructions and XML sitemap discovery where publicly available.
  5. 5Score each ruleEvery rule receives a pass, warning or fail result and a weight based on its relative importance in this diagnostic.
  6. 6Build the reportCategory scores, an overall grade, findings and an ordered action plan are assembled. The free view receives only the designated public detail.

The result is a snapshot of the response returned at that moment. A later scan can differ because the website, server, route, content or availability has changed.

Checks by category

Technical

Can visitors and crawlers reach a sound foundation?

HTTPS, final response status, redirect length, selected browser security headers, canonical address, robots.txt and XML sitemap discovery.

Search

Does the page explain itself to search systems?

Title and meta-description presence and length, one primary heading, heading order, noindex instruction, JSON-LD, local-business schema and core Open Graph fields.

Content

Can a potential customer understand and act?

Approximate visible word count, image alternatives, internal links, a clear contact or enquiry path and—when supplied—visible business-name consistency.

Trust

Are there basic signals of a real, contactable business?

Direct contact details or a form, privacy and About links, recognised social or map profiles and a visible postcode or supplied service location.

Accessibility

Are important structural basics present?

Mobile viewport, document language, detectable form labels, accessible button names and a keyboard skip link.

Performance

Does the initial document show obvious weight or delay?

Measured server-side fetch time, HTML document size, declared lazy loading for images and the number of external scripts referenced in the HTML.

Useful thresholds, not universal laws

Some rules use transparent working ranges. For example, a title of roughly 10–60 characters and a meta description of roughly 50–160 characters receive a pass. About 250 visible words receives a pass for useful copy; 100–249 receives a warning. A server-side fetch within about 1.5 seconds passes, 1.5–3 seconds warns, and over 3 seconds fails that rule.

Likewise, HTML up to about 250 KB passes the document-size rule, 250–750 KB warns, and larger documents fail it. Ten or fewer external scripts pass that specific count rule, 11–20 warn and more than 20 fail. These boundaries make the assessment consistent; they are not claims that every page outside a range is bad or every page inside it is good.

How scoring and priorities work

Each check earns a fraction between zero and one. A result at 0.95 or above is shown as a pass; 0.45–0.94 is a warning; below 0.45 is a fail. Binary checks usually earn either zero or one, while range and ratio checks can earn partial credit.

Checks are weighted from 1 to 8. Foundational issues such as HTTPS and the search-result title carry more influence than lower-impact enhancements. A category score is the weighted average of its checks. The overall score is the weighted average across every check, rounded to a whole number.

Overall scoreGradeInterpretation
90–100AA strong result within the checks this audit can perform.
80–89BGood foundations with worthwhile improvements still available.
65–79CA mixed result with several issues deserving attention.
50–64DImportant gaps are reducing the strength of the page.
0–49EMultiple high-impact foundations need attention.

The automated action plan takes up to eight non-passing checks and orders them first by severity—critical, high, medium, then low—and then by weight. That produces a consistent starting order, but it cannot know your budget, platform constraints or commercial priorities. A human review exists for that context.

What the free and paid reports show

Free snapshot

The free result includes the overall and category scores, grade, summary counts and the public detail for five useful checks:

  • secure HTTPS connection;
  • search-result title;
  • search-result description;
  • clear contact or enquiry route; and
  • mobile-friendly viewport.

It can also show neutral counts by category for locked findings. Premium titles, evidence, impacts, recommendations and metrics are not included in the free API response, which is why blurred cards cannot simply be revealed in the browser.

Complete report — £29 one-off

The complete report unlocks every finding returned for that audit, including its status, severity, detected evidence, likely impact and practical recommendation. It also includes supporting metrics and the prioritised automated action plan.

Human review — £99 one-off

The human review includes the complete report. A website specialist then considers the findings in business context, filters false priorities and adds a tailored order of work. It is useful when choosing what to do first matters more than simply seeing every check.

Monthly monitoring

The £15 monthly plan reschedules this diagnostic for one domain each month and provides refreshed results and change alerts. The £59 monthly Agency plan extends scheduled monitoring to up to 10 authorised client domains with shareable, agency-friendly reports. Neither is continuous uptime or security monitoring.

What this audit cannot tell you

The score is a directional diagnostic, not a Google score, certification or promise of ranking, enquiries, revenue, accessibility compliance, legal compliance or security.

  • It is not a whole-site crawl. The submitted public page is the primary subject, with limited checks of standard site files.
  • It does not render JavaScript as a full browser. Content inserted only after scripts run, interaction or consent may not be visible to the parser.
  • It is not a lab or field performance suite. Fetch time is measured from the audit server. It is not Core Web Vitals, Lighthouse, PageSpeed Insights or real-user data.
  • It does not inspect search platforms. Rankings, Google index coverage, Business Profile ownership, listings, reviews, backlinks and competitors are outside the automated scope.
  • It is not a complete accessibility audit. It cannot assess every WCAG criterion, keyboard journey, screen-reader experience, visual contrast state or cognitive barrier.
  • It is not a security test. Header observations are limited and it performs no vulnerability scan or penetration testing.
  • It is not legal advice. A detected privacy link does not prove that the notice is accurate or that a website complies with data, consumer, advertising or accessibility law.
  • Websites can vary. Bot protection, location, personalisation, authentication, transient errors and redirects can change what is returned.

Automated detection can produce false positives or miss something a person would notice. A high score therefore means strong coverage of these defined rules, not that the whole online presence is complete.

Using the results well

  1. Confirm that the final page and detected evidence match what a normal visitor sees.
  2. Start with failed critical and high-severity items, but consider effort, platform risk and business value.
  3. Back up the website and test changes on an appropriate staging environment where possible.
  4. Use specialist testing for security, accessibility, law, analytics, search performance or complex development decisions.
  5. Run a fresh audit after changes to confirm that detectable signals improved.

Questions about a report or a suspected incorrect result can be sent through the support page. Include the report reference and domain, but never send a password or full payment-card details.

Run a free website audit